Sorry, apparently the new GPGMail extension I have doesn't quite work right.. Or I have a setting wrong.. Let's try this again without that enabled...
Hi all,
OSSEC 2.6 on a CentOS 5.6 system.
I was just nailed with an SSH brute force attack which apparently lasted a while. I received a whole bunch of mails from OSSEC about it, yet it did nothing to stop it. I understand why for some of the messages, but not others.
For instance, the following triggered an active response, as expected, but unfortunately, the attack wasn't stopped because the reverse address was invalid.
OSSEC HIDS Notification.
2011 Aug 15 20:53:06
Received From: myserver->/var/log/secure
Rule: 5703 fired (level 10) -> "Possible breakin attempt (high number of reverse lookup errors)."
Portion of the log(s):
Aug 15 20:53:05 myserver sshd[23210]: reverse mapping checking getaddrinfo for 122-146-120-139.static.sparqnet.net failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 15 20:53:01 myserver sshd[23207]: reverse mapping checking getaddrinfo for 122-146-120-139.static.sparqnet.net failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 15 20:53:01 myserver sshd[23205]: reverse mapping checking getaddrinfo for 122-146-120-139.static.sparqnet.net failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 15 20:52:57 myserver sshd[23178]: reverse mapping checking getaddrinfo for 122-146-120-139.static.sparqnet.net failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 15 20:52:57 myserver sshd[23166]: reverse mapping checking getaddrinfo for 122-146-120-139.static.sparqnet.net failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 15 20:52:54 myserver sshd[23141]: reverse mapping checking getaddrinfo for 122-146-120-139.static.sparqnet.net failed - POSSIBLE BREAK-IN ATTEMPT!
--END OF NOTIFICATION
[me@myserver ~]$ host 122-146-120-139.static.sparqnet.net
Host 122-146-120-139.static.sparqnet.net not found: 3(NXDOMAIN)
[me@myserver ~]$
Sure, I get it. Not sure how to prevent that one, though the forward address is easily handled by another alert, right? Apparently not, though. Here's the alert that never triggered an active response:
OSSEC HIDS Notification.
2011 Aug 15 21:02:52
Received From: myserver->/var/log/secure
Rule: 5551 fired (level 10) -> "Multiple failed logins in a small period of time."
Portion of the log(s):
Aug 15 21:02:51 myserver sshd[29303]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139
Aug 15 21:02:51 myserver sshd[29302]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139
Aug 15 21:02:47 myserver sshd[29220]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139
Aug 15 21:02:47 myserver sshd[29219]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139
Aug 15 21:02:43 myserver sshd[29213]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139
Aug 15 21:02:43 myserver sshd[29212]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139
Aug 15 21:02:39 myserver sshd[29209]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139
Aug 15 21:02:39 myserver sshd[29208]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139
--END OF NOTIFICATION
Nothing in the active response log. Nothing in the ossec.log… Here are the last two entries in the ossec.log:
2011/08/15 19:04:35 ossec-syscheckd: INFO: Ending syscheck scan.
2011/08/15 21:09:35 ossec-syscheckd: INFO: Starting syscheck scan.
And a grep of rule 5551 from the active-responses.log :
[root@myserver logs]# grep 5551 active-responses.log
[root@myserver logs]#
So what gives? My active response section in ossec.conf seems to be correct:
<active-response>
<command>firewall-drop</command>
<location>local</location>
<level>6</level>
<timeout>21600</timeout>
<repeated_offenders>720,1440,10080</repeated_offenders>
</active-response>
I'm at a loss. Any thoughts?
---------------------------
Jason 'XenoPhage' Frisvold
[email protected]
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law
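The post shows two gates between an sshd alert and a firewall-drop: the alert's level has to reach the `<level>` in the active-response block, and the command needs an address it can hand to the firewall. The script below is an added example, not code from the post or from OSSEC, that reproduces both gates over sshd lines modelled on the ones quoted above. It assumes a year of 2011 for the syslog timestamps, assumes a "6 failures within 180 seconds" threshold for the multiple-failed-logins correlation (values chosen for the example, not read from OSSEC's rule files), and stands in for DNS with a `resolve` callback that by default resolves nothing, matching the NXDOMAIN the `host` query returned; the 10.0.0.5 line is constructed to show per-source grouping.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input modelled on the sshd lines quoted in the post
# (the 10.0.0.5 line is added to show per-source grouping). Syslog stamps
# carry no year, so 2011 is assumed below.
SAMPLE_LOG = """\
Aug 15 20:52:54 myserver sshd[23141]: reverse mapping checking getaddrinfo for 122-146-120-139.static.sparqnet.net failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 15 20:52:57 myserver sshd[23166]: reverse mapping checking getaddrinfo for 122-146-120-139.static.sparqnet.net failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 15 21:02:39 myserver sshd[29208]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139
Aug 15 21:02:39 myserver sshd[29209]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139
Aug 15 21:02:43 myserver sshd[29212]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139
Aug 15 21:02:43 myserver sshd[29213]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139
Aug 15 21:02:47 myserver sshd[29219]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139
Aug 15 21:02:47 myserver sshd[29220]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139
Aug 15 21:02:51 myserver sshd[29302]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139
Aug 15 21:02:51 myserver sshd[29303]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
AUTH_FAIL_RE = re.compile(r"authentication failure;.*\brhost=(?P<rhost>\S*)")
REVERSE_RE = re.compile(r"reverse mapping checking getaddrinfo for (?P<host>\S+) failed")


def parse_line(line, year=2011):
    """Turn one sshd syslog line into an event dict, or None if unrecognised."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    a = AUTH_FAIL_RE.search(m["msg"])
    if a:  # an empty rhost= field yields source None rather than a bogus token
        return {"ts": ts, "kind": "auth_failure", "source": a["rhost"] or None}
    r = REVERSE_RE.search(m["msg"])
    if r:  # only a hostname is available here, never an IP
        return {"ts": ts, "kind": "reverse_mapping_failed", "source": r["host"]}
    return None


def correlate(events, frequency=6, timeframe=180):
    """Sliding-window count of auth failures per source; returns the time at
    which each source first reached `frequency` hits inside `timeframe`
    seconds. Both thresholds are assumed values for this example."""
    windows = defaultdict(deque)
    fired = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] != "auth_failure" or ev["source"] is None:
            continue
        q = windows[ev["source"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > timeframe:
            q.popleft()
        if len(q) >= frequency and ev["source"] not in fired:
            fired[ev["source"]] = ev["ts"]
    return fired


def blockable_address(source, resolve=lambda name: None):
    """Return an IP that firewall-drop could act on, or None. `resolve` stands
    in for a DNS lookup; the default resolves nothing, like the NXDOMAIN in
    the post, so a bare hostname leaves nothing to block."""
    if source is None:
        return None
    try:
        return str(ipaddress.ip_address(source))
    except ValueError:
        return resolve(source)


def decide(rule_level, config_level, address):
    """Apply the two gates visible in the post: the alert's level must reach
    ossec.conf's <level>, and the firewall command needs an address."""
    if rule_level < config_level:
        return "below active-response level"
    if address is None:
        return "alert fired but no IP address to block"
    return f"firewall-drop {address}"


def analyze(log_text, config_level=6, rule_level=10, resolve=lambda name: None):
    """Run the sample through both checks; keys are the sources seen.
    rule_level defaults to 10, the level of both rules quoted in the post."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    decisions = {}
    for ev in events:
        if ev["kind"] == "reverse_mapping_failed":
            decisions[ev["source"]] = decide(
                rule_level, config_level, blockable_address(ev["source"], resolve))
    for src in correlate(events):
        decisions[src] = decide(rule_level, config_level, blockable_address(src, resolve))
    return decisions


if __name__ == "__main__":
    for src, outcome in analyze(SAMPLE_LOG).items():
        print(f"{src}: {outcome}")
```

On the sample, the dotted-quad source crosses the correlation threshold at its sixth failure (21:02:47) and, with a level-10 alert against the `<level>6</level>` in the post's config, passes both gates, whereas the reverse-mapping event carries only an unresolvable hostname and so yields an alert with no address to drop. Raising `config_level` above 10 shows the first gate closing instead, which is the condition worth checking first when an alert fires but nothing appears in active-responses.log.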